Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTg3NnItaGo0NS1mdzdn
Sandbox Breakout / Arbitrary Code Execution in safer-eval
All versions of safer-eval
are vulnerable to Sandbox Escape leading to Remote Code Execution. It is possible to escape the sandbox by forcing exceptions recursively in the evaluated code. This may allow attacker to execute arbitrary code in the system.
Recommendation
The package is not suited to receive arbitrary user input. Consider using an alternative package.
Permalink: https://github.com/advisories/GHSA-876r-hj45-fw7gJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTg3NnItaGo0NS1mdzdn
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
Identifiers: GHSA-876r-hj45-fw7g
References:
- https://gist.github.com/JLLeitschuh/609bb2efaff22ed84fe182cf574c023a
- https://www.npmjs.com/advisories/1221
- https://github.com/advisories/GHSA-876r-hj45-fw7g
Affected Packages
npm:safer-eval
Dependent packages: 24Dependent repositories: 17,794
Downloads: 48,533 last month
Affected Version Ranges: >= 0.0.0
No known fixed version
All affected versions: 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6